1. Patchew
  2. EDK2
  3. View series

[edk2-devel] [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy

Stefan Berger posted 4 patches 2 years, 8 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/edk2 tags/patchew/20210809163718.874512-1-stefanb@linux.vnet.ibm.com
There is a newer version of this series
OvmfPkg/AmdSev/AmdSevX64.dsc                  |   3 +
.../Include/Library/TpmPlatformHierarchyLib.h |  27 +++
.../PeiDxeTpmPlatformHierarchyLib.c           | 210 ++++++++++++++++++
.../PeiDxeTpmPlatformHierarchyLib.inf         |  40 ++++
.../PeiDxeTpmPlatformHierarchyLib.c           |  19 ++
.../PeiDxeTpmPlatformHierarchyLib.inf         |  31 +++
.../PlatformBootManagerLib/BdsPlatform.c      |   6 +
.../PlatformBootManagerLib.inf                |   1 +
.../PlatformBootManagerLibBhyve/BdsPlatform.c |   6 +
.../PlatformBootManagerLibGrub/BdsPlatform.c  |   6 +
OvmfPkg/OvmfPkgIa32.dsc                       |   3 +
OvmfPkg/OvmfPkgIa32X64.dsc                    |   3 +
OvmfPkg/OvmfPkgX64.dsc                        |   3 +
13 files changed, 358 insertions(+)
create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
[edk2-devel] [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy
Posted by Stefan Berger 2 years, 8 months ago 
This series imports code from the edk2-platforms project related to
changing the password of the TPM2 platform hierarchy and uses it to
disable the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
aspects of the following bugs:

https://bugzilla.tianocore.org/show_bug.cgi?id=3510
https://bugzilla.tianocore.org/show_bug.cgi?id=3499

Regards,
  Stefan

Stefan Berger (4):
  OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
    edk2-platforms
  OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  OvmfPkg: Reference new TPM classes in the build system for compilation
  OvmfPkg: Disable the TPM2 platform hierarchy

 OvmfPkg/AmdSev/AmdSevX64.dsc                  |   3 +
 .../Include/Library/TpmPlatformHierarchyLib.h |  27 +++
 .../PeiDxeTpmPlatformHierarchyLib.c           | 210 ++++++++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.inf         |  40 ++++
 .../PeiDxeTpmPlatformHierarchyLib.c           |  19 ++
 .../PeiDxeTpmPlatformHierarchyLib.inf         |  31 +++
 .../PlatformBootManagerLib/BdsPlatform.c      |   6 +
 .../PlatformBootManagerLib.inf                |   1 +
 .../PlatformBootManagerLibBhyve/BdsPlatform.c |   6 +
 .../PlatformBootManagerLibGrub/BdsPlatform.c  |   6 +
 OvmfPkg/OvmfPkgIa32.dsc                       |   3 +
 OvmfPkg/OvmfPkgIa32X64.dsc                    |   3 +
 OvmfPkg/OvmfPkgX64.dsc                        |   3 +
 13 files changed, 358 insertions(+)
 create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf

-- 
2.31.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78978): https://edk2.groups.io/g/devel/message/78978
Mute This Topic: https://groups.io/mt/84773154/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy
Posted by James Bottomley 2 years, 8 months ago 
On Mon, 2021-08-09 at 12:37 -0400, Stefan Berger wrote:
> This series imports code from the edk2-platforms project related to
> changing the password of the TPM2 platform hierarchy and uses it to
> disable the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
> aspects of the following bugs:
> 
> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
> https://bugzilla.tianocore.org/show_bug.cgi?id=3499

This raises a couple of issues:

   1. Since OVMF is for all x86 virtual platforms not just the PC ones,
      should it be following the PC client spec for everything?  I notice
      you left out Xen and Bhyve ... should they never follow this?
   2. Since OVMF is effectively both the platform and the firmware, what
      attitude should we take to code in edk2-platforms?  There are
      arguments for pulling all the necessary components into OVMF, but it
      could also be argued that the VMM should take care of all the edk2-
      platforms pieces and OVMF should be strictly firmware.

Getting 2. sorted out is probably the more pressing policy issue for
us.

James




-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78983): https://edk2.groups.io/g/devel/message/78983
Mute This Topic: https://groups.io/mt/84773154/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy
Posted by Stefan Berger 2 years, 8 months ago 
On 8/9/21 1:54 PM, James Bottomley wrote:
> On Mon, 2021-08-09 at 12:37 -0400, Stefan Berger wrote:
>> This series imports code from the edk2-platforms project related to
>> changing the password of the TPM2 platform hierarchy and uses it to
>> disable the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
>> aspects of the following bugs:
>>
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3499
> This raises a couple of issues:
>
>     1. Since OVMF is for all x86 virtual platforms not just the PC ones,
>        should it be following the PC client spec for everything?  I notice
>        you left out Xen and Bhyve ... should they never follow this?

I am not sure how to build Bhyve but one part of the patch is already 
there for it in this series:


If this is how you build Bhyve I am getting a build failure already 
before these patches here are applied.

build -p OvmfPkg/Bhyve/BhyveX64.dsc -b DEBUG -a X64 -t GCC5 -D 
TPM_ENABLE -D TPM_CONFIG_ENABLE -D SECURE_BOOT_ENABLE -D 
NETWORK_TLS_ENABLE 2>&1 | tee build.log
Build environment: Linux-5.12.14-300.fc34.x86_64-x86_64-with-glibc2.33
Build start time: 14:21:41, Aug.09 2021

WORKSPACE        = /home/stefanb/dev/edk2
EDK_TOOLS_PATH   = /home/stefanb/dev/edk2/BaseTools
CONF_PATH        = /home/stefanb/dev/edk2/Conf
PYTHON_COMMAND   = /usr/bin/python3.9


Processing meta-data .
Architecture(s)  = X64
Build target     = DEBUG
Toolchain        = GCC5

Active Platform          = /home/stefanb/dev/edk2/OvmfPkg/Bhyve/BhyveX64.dsc


build.py...
/home/stefanb/dev/edk2/OvmfPkg/Bhyve/BhyveX64.dsc(198): error 000E: 
File/directory not found in workspace
/home/stefanb/dev/edk2/OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecureLib.inf


>     2. Since OVMF is effectively both the platform and the firmware, what
>        attitude should we take to code in edk2-platforms?  There are
>        arguments for pulling all the necessary components into OVMF, but it
>        could also be argued that the VMM should take care of all the edk2-
>        platforms pieces and OVMF should be strictly firmware.

That's what I had been wondering about in V1 as well. This import here 
now followed the option 2 in that discussion and I cut out basically 
only the function that disables the platform hierarchy rather than 
setting a random password, which I kept since it didn't seem to require 
further dependencies. to be imported from edk2-platforms.


>
> Getting 2. sorted out is probably the more pressing policy issue for
> us.
>
> James
>
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78984): https://edk2.groups.io/g/devel/message/78984
Mute This Topic: https://groups.io/mt/84773154/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.